SPF and domain keys

project722 project722 at gmail.com
Mon Aug 29 14:38:42 UTC 2016 

Awesome, Actually one more question. If we allow folks from another domain
to send as us is there a chance anywhere in any of the email "from" headers
it would reveal the "true" domian?

eg..

folks at alphazulu send as @foxtrot.com.

Would @alphazulu.com appear anywhere in the headers?

On Mon, Aug 29, 2016 at 9:34 AM, Mike Ragusa <mragusa at gmail.com> wrote:

> Glad to help! If you need a low cost DMARC reporting service, I would
> recommend www.dmarcian.com
>
> On Mon, Aug 29, 2016 at 10:33 AM project722 <project722 at gmail.com> wrote:
>
>> Thanks guys - very helpful information indeed.
>>
>> On Mon, Aug 29, 2016 at 9:08 AM, Mike Ragusa <mragusa at gmail.com> wrote:
>>
>>> Ideally it is best to use both technologies and then put DMARC on top to
>>> ensure reporting and enforcement of the policies. DKIM cryptographically
>>> signs your messages and SPF informs receiving mail servers of who is
>>> allowed to send on your behalf.  You should not think of using only one or
>>> the other as they work best together to accomplish the same goal. When
>>> utilizing DMARC on top of it all, you get the added benefit of reporting
>>> from over 200 different ISPs from around the world. In general, DKIM is
>>> first used as the authentication method and SPF as a backup.
>>>
>>> If you have a valid DKIM key, then failed SPF should not matter but if
>>> you have a failed DKIM key and SPF passes, there still may be
>>> deliverability issues to account for. If you do enable DMARC, then your
>>> DKIM and/or SPF headers must align with your domain or you will encounter
>>> deliverability issues depending on how your policies are setup. DKIM in
>>> relaxed mode allows for mail to pass the test with the same parent domain
>>> but canonicalization requires that your domains match up exactly as stated
>>> ie example.com and mail.example.com are not the same and will fail. SPF
>>> with DMARC requires two or more FROM headers (
>>> https://tools.ietf.org/html/rfc2822#section-3.6.2) match up exactly or
>>> it will fail SPF checks but without DMARC anyone listed in the sender
>>> policy can send on your behalf. While this may seem strange at first, this
>>> is to prevent people from signing up to something like google and sending
>>> on your behalf with the default google DKIM key and a wide open SPF policy.
>>>
>>> With DMARC:
>>> DKIM : headers must match domain or else fail
>>> SPF:  2 or more headers must match domain or else fail
>>>
>>> Without DMARC:
>>> DKIM: just needs to be signed by sending mail server
>>> SPF: just needs to be send from a valid sender
>>>
>>> Depending on your needs, I would recommend putting SPF in soft fail,
>>> DKIM in relaxed mode and DMARC in reporting mode only for the first 15-30
>>> days and see how your traffic looks and who is sending on your behalf. Once
>>> you have a comfortable baseline, start to tighten up your policies.
>>>
>>>
>>>
>>>
>>> On Mon, Aug 29, 2016 at 9:51 AM project722 <project722 at gmail.com> wrote:
>>>
>>>> What about DKIM only? Can it be used instead of, or, as a "replacement"
>>>> for SPF? For example mails are signed with DKIM from the SMTP servers, and
>>>> the receiving servers are checking both SPF and DKIM. If the receiving
>>>> server detected a missing SPF would it allow mail through if DKIM is
>>>> present and valid? I suppose a lot of this depends on the SPF policies
>>>> enforced on the receiving side.
>>>>
>>>> On Mon, Aug 29, 2016 at 1:53 AM, Dave Warren <davew at hireahit.com>
>>>> wrote:
>>>>
>>>>> The easiest answer is: Whatever you want. Strictly speaking,
>>>>> alphazulu.com can send mail on behalf of foxtrot.com using a
>>>>> alphazulu.com DKIM selector, and that's perfectly valid under DKIM.
>>>>> However, it won't have DMARC alignment, which is becoming more and more
>>>>> important, so if alignment is relevant, you'll need to use a
>>>>> foxtrot.com selector.
>>>>>
>>>>> tl;dr: Use a foxtrot.com selector unless you simply can't.
>>>>>
>>>>> As for who generates it, it's irrelevant. The sending server will need
>>>>> the private key, your DNS records will contain the public key, but it makes
>>>>> no difference if foxtrot.com creates the keys and delivers them to
>>>>> the appropriate parties, or if alphazulu.com generates generates a
>>>>> private key and provides the alphazulu._domainkey.foxtrot.com record
>>>>> to foxtrot.com.
>>>>>
>>>>> Remember that you can have as many selectors as you want, don't reuse
>>>>> them across trust boundaries (in other words, consider that in the future,
>>>>> foxtrot.com and alphazulu.com may part ways, when that happens, it's
>>>>> ideal if you can remove the selector from your DNS (after a period of time,
>>>>> at least a week), such that alphazulu.com cannot continue to sign
>>>>> mail. It's also ideal if you don't have to update DKIM records elsewhere in
>>>>> your infrastructure.
>>>>>
>>>>> I hope at least some of this makes sense, but if not, ask. DKIM and
>>>>> DMARC are fiddly, and a lot of the DKIM advice out there isn't entirely
>>>>> complete now that DMARC is on the scene and DMARC builds on top of DKIM and
>>>>> SPF.
>>>>>
>>>>>
>>>>> On Sun, Aug 28, 2016, at 16:13, project722 wrote:
>>>>>
>>>>> Lets say my domain is foxtrot.com and we have SPF records for the
>>>>> SMTP servers on foxtrot.com. Now lets say I have decided I want to
>>>>> allow alphazulu.com to send mail as foxtrot.I know how to add
>>>>> alphazulu.com to the SPF but If I wanted to also use DomainKeys or
>>>>> DKIM to authenticate alphazulu.com would the keys need to be in
>>>>> foxtrots name or alphazulu? For example,
>>>>> Would I use:
>>>>>
>>>>> _domainkey.foxtrot.com.                  IN TXT          "t=y\; o=~\;"
>>>>> xxxxxxx._domainkey.foxtrot.com.           IN TXT          "k=rsa\;
>>>>> p=xxxxxxxxxxx
>>>>>
>>>>> or
>>>>>
>>>>> _domainkey.alphazulu.com.                  IN TXT          "t=y\;
>>>>> o=~\;"
>>>>> xxxxxxx._domainkey.alphazulu.com.           IN TXT          "k=rsa\;
>>>>> p=xxxxxxxxxxx
>>>>>
>>>>> Also,
>>>>> 1) Who generates the keys? Foxtrot or Alphazulu?
>>>>> 2) Would I need both SPF and keys or would keys alone be enough to
>>>>> authenticate the other domain? ( I am in a position where I would like to
>>>>> use only keys)
>>>>> 3) Which one is better to use in terms of provider checking? For
>>>>> example, are providers even checking keys as much as they are SPF?
>>>>>
>>>>> *_______________________________________________*
>>>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>>>> unsubscribe from this list
>>>>>
>>>>> bind-users mailing list
>>>>> bind-users at lists.isc.org
>>>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>>>> unsubscribe from this list
>>>>>
>>>>> bind-users mailing list
>>>>> bind-users at lists.isc.org
>>>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>>>
>>>>
>>>> _______________________________________________
>>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>>> unsubscribe from this list
>>>>
>>>> bind-users mailing list
>>>> bind-users at lists.isc.org
>>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>
>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20160829/285442e6/attachment.html>

More information about the bind-users mailing list